2 Answers

There are a variety of approaches to promote the discovery and fixing of software vulnerabilities. The most common ways to provide compensation to researchers are bug bounties (run by vendors) and vulnerability brokers (who buy and sell information on vulnerabilities applicable to popular software). These are well described in A Comparison of Market Approaches to Software Vulnerability Disclosure (2006) by Rainer Böhme, but he notes that they are each badly flawed and don't lead to the kind of research investment or vendor engagement that we need to deal with the enormous problems of insecure software. The black-hat vulnerability brokers, who don't release the exploits to the vendors, pay much more (a factor of 10?) to black-hat researchers than the more ethical brokers do. The result is that a large fraction of the research goes underground and contributes to Internet insecurity rather than security.

I think that Böhme's proposal for exploit derivatives is a very promising form of market to explore, to achieve exactly what you're talking about. It gives researchers a way to make money by discovering a vulnerability without having to disclose it in a dangerous way. As Böhme writes:

consider a contract that pays its owner the sum of 100 EUR on, say, 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform. It is easy to issue this kind of contracts, since you would sell it as a bundle with the inverse contract that pays 100 EUR if the ssh program is not broken within the maturity. Then, different parties can trade the contracts on an electronic trading platform that matches bid and ask prices, settles the deals, and publishes the price quotes.

[This kind of market would attract a variety of groups of market participants:]

software users would demand contracts paying on breaches in order to hedge the risks they are exposed to due to their computer network.....

Software vendors could demand contracts that pay if their software remains secure as a means to signal to their customers that they trust their own system; or contracts that pay if their competitors’ software breaks.....

software vendors [could] use exploit derivatives as part of their compensation schemes to give developers an incentive to secure programming....

Finally, security experts could use the market to capitalize effort in security analyses. If, after a code review, they consider a software as secure, they could buy contracts on the secure state at a higher rate than the market price.

The main problem seems to be that various laws can be used in various jurisdictions to inhibit the flow of information about vulnerabilities, as Schwalb discusses, so that is something to work on. He proposes an idea for enabling a pilot of this kind of market by making exceptions to the law for the emerging, important but risky world of IPv6 vulnerabilities.
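As an added illustration (this is not code from the answer above or from Böhme's paper), here is a toy Python model of the bundle-and-match mechanism Böhme describes: a bundle of an "exploit" leg and a "secure" leg is issued for its face value, only the exploit leg is traded on a bid/ask book, and at maturity exactly one leg pays. The participants, quantities, prices and the contract description are constructed for the example; the point is that the vendor signals confidence by selling breach cover, the operations team hedges by buying it, the auditor who has reviewed the code sells breach cover below the market (equivalently, buys the secure state above it), and the last traded price divided by face value is the market's implied breach probability.

```python
"""Toy exploit-derivative market in the style of Böhme's proposal.

One bundle = one "exploit" leg (pays FACE if the specified software is broken
by maturity) + one "secure" leg (pays FACE otherwise).  Exactly one leg pays,
so issuing a bundle for FACE is riskless for the issuer.  Only the exploit
leg is traded; by no-arbitrage the secure leg is worth FACE minus the exploit
price.  All names, quantities and prices below are constructed examples.
"""
from __future__ import annotations
from dataclasses import dataclass

FACE = 100.0  # EUR paid at maturity by whichever leg settles in the money


@dataclass
class Account:
    cash: float = 0.0
    exploit: int = 0  # exploit legs held (not escrowed in a resting ask)
    secure: int = 0   # secure legs held


@dataclass
class Order:
    trader: str
    side: str    # "bid" = buy exploit legs, "ask" = sell exploit legs
    qty: int
    price: float


class ExploitDerivativeMarket:
    def __init__(self, contract: str):
        self.contract = contract
        self.accounts: dict[str, Account] = {}
        self.bids: list[Order] = []
        self.asks: list[Order] = []
        self.trades: list[tuple[str, str, int, float]] = []  # buyer, seller, qty, price

    def account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account())

    def buy_bundles(self, name: str, qty: int) -> None:
        """Primary issuance: pay FACE per bundle, receive one leg of each kind."""
        acct = self.account(name)
        acct.cash -= FACE * qty
        acct.exploit += qty
        acct.secure += qty

    def place(self, trader: str, side: str, qty: int, price: float) -> None:
        """Price-time priority matching; a trade executes at the resting order's price."""
        acct = self.account(trader)
        order = Order(trader, side, qty, price)
        if side == "ask":
            if acct.exploit < qty:
                raise ValueError("cannot short exploit legs; buy bundles first")
            acct.exploit -= qty  # escrow legs until filled or returned at settlement
            book, contra = self.asks, self.bids
            contra.sort(key=lambda o: -o.price)      # best (highest) bid first
            crosses = lambda p: p >= price
        else:
            book, contra = self.bids, self.asks
            contra.sort(key=lambda o: o.price)       # best (lowest) ask first
            crosses = lambda p: p <= price
        for resting in list(contra):
            if order.qty == 0 or not crosses(resting.price):
                break
            n = min(order.qty, resting.qty)
            buyer, seller = (trader, resting.trader) if side == "bid" else (resting.trader, trader)
            self.account(buyer).cash -= n * resting.price
            self.account(buyer).exploit += n
            self.account(seller).cash += n * resting.price  # seller's legs were escrowed
            self.trades.append((buyer, seller, n, resting.price))
            order.qty -= n
            resting.qty -= n
            if resting.qty == 0:
                contra.remove(resting)
        if order.qty:
            book.append(order)

    def implied_breach_probability(self) -> float | None:
        """Last traded exploit-leg price as a fraction of face value."""
        return self.trades[-1][3] / FACE if self.trades else None

    def settle(self, exploited: bool) -> dict[str, float]:
        """Return escrowed legs, pay the winning leg, and report final cash per trader."""
        for ask in self.asks:
            self.account(ask.trader).exploit += ask.qty
        self.asks.clear()
        self.bids.clear()
        for acct in self.accounts.values():
            acct.cash += FACE * (acct.exploit if exploited else acct.secure)
            acct.exploit = acct.secure = 0
        return {name: acct.cash for name, acct in self.accounts.items()}


def build_scenario() -> ExploitDerivativeMarket:
    """Constructed scenario following the roles in Böhme's quote."""
    m = ExploitDerivativeMarket("remote root exploit against a specified ssh build by 30 June")
    m.buy_bundles("vendor", 10)           # vendor keeps secure legs to signal confidence ...
    m.place("vendor", "ask", 10, 30.0)    # ... and sells breach cover at 30 EUR
    m.place("ops_team", "bid", 10, 35.0)  # software user hedges; fills at the resting 30 EUR
    m.buy_bundles("auditor", 5)           # auditor reviewed the code and believes it secure,
    m.place("auditor", "ask", 5, 20.0)    # so sells breach cover below market (buys secure at 80)
    m.place("ops_team", "bid", 5, 25.0)   # more hedging; fills at the resting 20 EUR
    return m


def run_scenario(exploited: bool) -> dict[str, float]:
    return build_scenario().settle(exploited)


if __name__ == "__main__":
    m = build_scenario()
    print("implied breach probability:", m.implied_breach_probability())
    print("no exploit by maturity:", run_scenario(False))
    print("exploit found:", run_scenario(True))
```

Whatever the outcome, the final cash positions sum to zero: the issuer collected FACE per bundle and pays out exactly FACE per bundle, which is the "easy to issue" property Böhme relies on. The toy ignores counterparty credit, fees and, above all, the settlement oracle that decides whether the exploit exists, which is where the disclosure and legal problems discussed in the answer reappear.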